Exploit released for new PinTheft Arch Linux root escalation flaw

A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems.

The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel's RDS (Reliable Datagram Sockets) and was patched earlier this month.

"PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers," V12 said in a Tuesday advisory.

"The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page."

V12 also released a PoC exploit that steals FOLL_PIN references until io_uring is left holding a stolen page pointer, allowing it to obtain a root shell.

Exploit released for new PinTheft Arch Linux root escalation flaw

Other newsrooms on this story

Related reading

Exploit available for new DirtyDecrypt Linux root escalation flaw

Other newsrooms on this story

Related reading

Exploit available for new DirtyDecrypt Linux root escalation flaw

PoC Released for DirtyDecrypt Linux Kernel Vulnerability

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major…

New Fragnesia Linux flaw lets attackers gain root privileges